‘Unauthorized Individual’ Accessed SSH File, Company Says
Web hosting giant GoDaddy confirms that a data breach has affected about 28,000 of its customers’ web hosting accounts, according to a news report. The company has reset passwords and usernames for some customers as a precaution, although no data appears to have been altered, it states in a notification letter to clients.
GoDaddy filed a breach notification letter with the California Attorney General’s Office this week. In the letter, Demetrius Comes, the company’s CISO and vice president for engineering, notes that an “unauthorized individual had access to your login information used to connect to SSH on your hosting account.”
Comes notes that the intruder who accessed and altered an SSH file has now been removed from the company’s hosting environment and blocked from the network. And while the company’s security team did not find that any customer accounts were modified, Comes adds that customers’ usernames and passwords have now been reset.
“Out of an abundance of caution, we recommend you conduct an audit of your hosting account,” Comes says. “This incident is limited in scope to your hosting account. Your main GoDaddy.com customer account, and the information stored within your customer account, was not accessible by this threat actor.”
Delay in Discovery
A GoDaddy spokesperson confirmed earlier this week that about 28,000 customer accounts were affected, Bleeping Computer reports.
This security incident happened in October 2019 and was discovered on April 23, Bleeping Computer reports. At that time, the affected SSH file was removed, and GoDaddy began resetting customers’ credentials.
In its latest financial report in February, GoDaddy reported that at the end of 2019, the company had 19 million web hosting customers. Net income for the year was approximately $139 million with total revenue of about $3 billion.
And while it’s not clear whether the hacker in this case gained access to credentials by stealing them or using brute-force methods to guess passwords and usernames, the incident is a reminder for all companies to closely monitor who has access to privileged credentials and how they are used, says Matt Walmsley, a director at the cybersecurity firm Vectra.
“It’s a sharp reminder that the monitoring of how privileged credentials are used, not just granted, can make the difference between detecting an active attack and being blissfully ignorant to a breach,” Walmsley tells Information Security Media Group.
In March, security blogger Brian Krebs reported that a GoDaddy employee was targeted during a spear-phishing attack, which gave the attackers access to some customer records and also allowed the hackers to change DNS settings of some hosted sites, including Escrow.com.
It’s not clear if there’s any connection between that phishing incident and the altering of the SSH file at GoDaddy.
A GoDaddy spokesperson could not be immediately reached for comment on Thursday.